title: PowerShell Network Connections
status: experimental
description: "Detects a PowerShell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's IP range)"
author: Florian Roth
references:
    - https://www.youtube.com/watch?v=DLtJTxMWZ2o
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 3
        Image: '*\powershell.exe'
    filter:
        DestinationIp:
            - '10.*'
            - '192.168.*'
            - '172.*'
            - '127.0.0.1'
        DestinationIsIpv6: 'false'
        User: 'NT AUTHORITY\SYSTEM'
    condition: selection and not filter
falsepositives:
    - Administrative scripts
level: low
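The following is an added Python example, not part of the Sigma rule above or of the Sigma project's own tooling. It re-implements the rule's matching semantics (fields inside one map are AND-ed, a list of values is OR-ed, `*` is a wildcard, string comparison is case-insensitive) and runs the rule over a handful of constructed Sysmon EventID 3 records so the filter's behaviour can be checked before deployment. Two consequences worth seeing on real data: because the filter's three fields are AND-ed, only SYSTEM-owned IPv4 connections to the listed prefixes are suppressed, so a user-context `powershell.exe` talking to `192.168.x.x` still alerts; and `172.*` covers all of 172.0.0.0/8, which is wider than the RFC 1918 range 172.16.0.0/12. The event records and field names are constructed to mirror the rule's fields and are not real telemetry.

```python
import fnmatch

# Rule logic copied from the Sigma rule above (selection and not filter).
SELECTION = {"EventID": 3, "Image": r"*\powershell.exe"}
FILTER = {
    "DestinationIp": ["10.*", "192.168.*", "172.*", "127.0.0.1"],
    "DestinationIsIpv6": "false",
    "User": r"NT AUTHORITY\SYSTEM",
}

PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SYSTEM = r"NT AUTHORITY\SYSTEM"

# Constructed Sysmon EventID 3 records for illustration (not real log data).
SAMPLE_EVENTS = [
    # 0: SYSTEM -> RFC 1918 address: suppressed by the filter
    {"EventID": 3, "Image": PS_EXE, "User": SYSTEM, "DestinationIsIpv6": "false",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},
    # 1: SYSTEM -> public address (TEST-NET-3): alerts
    {"EventID": 3, "Image": PS_EXE, "User": SYSTEM, "DestinationIsIpv6": "false",
     "DestinationIp": "203.0.113.7", "DestinationPort": 443},
    # 2: user context -> internal address: alerts, the filter only covers SYSTEM
    {"EventID": 3, "Image": PS_EXE, "User": r"CORP\alice", "DestinationIsIpv6": "false",
     "DestinationIp": "192.168.1.20", "DestinationPort": 5985},
    # 3: not powershell.exe: selection fails
    {"EventID": 3, "Image": r"C:\Windows\System32\notepad.exe", "User": SYSTEM,
     "DestinationIsIpv6": "false", "DestinationIp": "203.0.113.7", "DestinationPort": 80},
    # 4: process-creation event, not a network connection: selection fails
    {"EventID": 1, "Image": PS_EXE, "User": SYSTEM},
    # 5: SYSTEM -> 172.200.x.x is outside 172.16.0.0/12 but still matches '172.*'
    {"EventID": 3, "Image": PS_EXE, "User": SYSTEM, "DestinationIsIpv6": "false",
     "DestinationIp": "172.200.1.1", "DestinationPort": 443},
]


def _value_matches(pattern, value) -> bool:
    """Sigma-style string match: whole value, case-insensitive, '*' wildcard."""
    if value is None:
        return False
    return fnmatch.fnmatchcase(str(value).lower(), str(pattern).lower())


def _field_matches(pattern, value) -> bool:
    """A list of patterns for one field is OR-ed."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(_value_matches(p, value) for p in patterns)


def _map_matches(fields: dict, event: dict) -> bool:
    """All fields inside one selection/filter map must match (AND)."""
    return all(_field_matches(p, event.get(f)) for f, p in fields.items())


def rule_matches(event: dict) -> bool:
    """condition: selection and not filter"""
    return _map_matches(SELECTION, event) and not _map_matches(FILTER, event)


def run_rule(events):
    """Return the events that would raise an alert under the rule."""
    return [e for e in events if rule_matches(e)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"ALERT user={hit['User']} dst={hit['DestinationIp']}:{hit['DestinationPort']}")
```

Running it reports the public-address connection and the user-context internal connection; the `172.200.1.1` record stays silent, which is the reason to narrow `'172.*'` to the specific prefixes in use before relying on the rule.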